Salsa20

Salsa20 is a modern and efficient symmetric stream cipher. It was designed in 2005 by Daniel Bernstein, research professor of Computer Science at the University of Illinois at Chicago.

Stream cipher with symmetric secret key

Key length = 32 bytes

Salsa20 was submitted to the eSTREAM project, which ran from 2004 to 2008 and was meant to promote the development of stream ciphers. It is considered to be a well-designed and efficient algorithm. No effective attacks on the Salsa20 family of ciphers are known.

Salsa20 is a stream cipher that works on 64-byte data blocks.

Encryption

For each 64-byte data block, the algorithm uses the Salsa20 expansion function. The input to the function is the secret key (either 32 or 16 bytes long) and an 8-byte nonce concatenated with a block number, which runs from 0 to 2^64 - 1 (it is also stored in 8 bytes). Every call to the expansion function increases the block number by one.

The core of the Salsa20 encryption algorithm is a hash function which receives 64 bytes of input data from the Salsa20 expansion function, mixes it, and returns 64 bytes of output. The Salsa20 hash function works on the received sequence of bytes, which consists of:

The hash function operates on data divided into words. Every word contains 4 bytes and can have values from 0 to 2^32 - 1. Therefore, the input data is 16 words long, a key contains 8 or 4 words, and the nonce has 2 words.

The output from the Salsa20 expansion function is XORed with the 64-byte block of data. The result is a 64-byte block of ciphertext.

Decryption

The same algorithm is used for decryption. The data should be divided into parts of the same size.

The output from the Salsa20 expansion function is XORed with the 64-byte block of ciphertext. The result is a 64-byte block of plaintext.

Other Salsa20 ciphers

There are also some other ciphers which are based on the Salsa20 algorithm but differ in details.

The Quarterround Function can be performed in place, without the need of allocating any additional memory. First, x1 changes to y1, then x2 changes to y2, next x3 changes to y3, then x0 changes to y0. The Quarterround Function is invertible because all the modifications above are invertible.

Finally, the 16 words received as input are added (as described above) to the modified 16 words and changed to 64 new bytes using the Littleendian Function. The bytes are output from the Salsa20 Hash Function:

output = littleendian^(-1)(x0+w0) + littleendian^(-1)(x1+w1) + ... + littleendian^(-1)(x15+w15)


Salsa20 Expansion Function


The Salsa20 Expansion Function takes two sequences of bytes. The first sequence can have either 16 or 32 bytes and the second sequence (n) is always 16 bytes long. The function returns another sequence of 64 bytes.

A nonce is an arbitrary number (often random or pseudo-random) used only once in a cryptographic communication. It ensures security of stream ciphers (makes keystream different for different messages) and that old communications cannot be reused in replay attacks.
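
The pieces described on this page (in-place quarterround, hash function, expansion function, XOR with each 64-byte block) put together as an added Python example; it is not code from the original page. The "expand 32-byte k" / "expand 16-byte k" constants, the word layout and the order of the rounds are taken from the Salsa20 specification, since this page does not list them.

```python
import struct

MASK = 0xFFFFFFFF  # words are 4 bytes: 0 .. 2^32 - 1

def rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def quarterround(y0, y1, y2, y3):
    # Performed in place: y1 changes first, then y2, y3 and finally y0.
    y1 ^= rotl((y0 + y3) & MASK, 7)
    y2 ^= rotl((y1 + y0) & MASK, 9)
    y3 ^= rotl((y2 + y1) & MASK, 13)
    y0 ^= rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3

# Word indices for the column round, then the row round (Salsa20 specification).
COLUMNS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def salsa20_hash(block64):
    w = list(struct.unpack("<16I", block64))   # littleendian: 64 bytes -> 16 words
    x = w[:]
    for _ in range(10):                        # 10 double rounds = 20 rounds
        for a, b, c, d in COLUMNS + ROWS:
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    # Add the input words to the mixed words, then littleendian^(-1) back to bytes.
    return struct.pack("<16I", *[(xi + wi) & MASK for xi, wi in zip(x, w)])

def salsa20_expand(key, n):
    # Constants are from the Salsa20 specification (not listed on this page).
    if len(key) == 32:
        c, k0, k1 = b"expand 32-byte k", key[:16], key[16:]
    elif len(key) == 16:
        c, k0, k1 = b"expand 16-byte k", key, key
    else:
        raise ValueError("key must be 16 or 32 bytes")
    if len(n) != 16:
        raise ValueError("n must be 16 bytes (8-byte nonce + 8-byte block number)")
    return salsa20_hash(c[0:4] + k0 + c[4:8] + n + c[8:12] + k1 + c[12:16])

def salsa20_xor(key, nonce, data):
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 64)):
        ks = salsa20_expand(key, nonce + struct.pack("<Q", block_no))
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)
```

Calling salsa20_xor a second time with the same key and nonce decrypts, and reusing a nonce under the same key reproduces the same keystream, which is why each message needs a fresh nonce.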